Just a few weeks ago, security researcher and journalist Brian Krebs reported on the arrest of two men who were suspected of running “vDOS,” one of the most pervasive distributed denial-of-service (DDoS) paid service networks in the world. DDoS as a subscription service is nothing new; vDOS had been in existence for well over four years and, along with other services such as “PoodleStresser,” was part of the nascent but rapidly growing distributed-denial-of-service-as-a-service market (“DDoSaaS” – how’s that for an acronym?).
Regardless of what it’s called, DDoS is a pervasive and incredibly dangerous problem for organizations today. According to content distribution network vendor Akamai, there were over 700,000 DDoS attacks against companies and sites in Q4 of 2016 alone. These attacks result in disruption of services, most commonly web services that may be a company’s lifeline, such as an e-commerce site or a site that offers subscription-based access to content. DDoS is just as insidious as ransomware, phishing, and other digital threats to the enterprise.
For most organizations, mitigating against DDoS attacks is pretty far down the list of security threats, and is often ignored in deference to endpoint security, phishing mitigation and other technical security controls. Blocking DDoS attacks is often thought of as “too big a project,” and DDoS mitigation has the reputation of being a “big company problem,” despite evidence to the contrary. However, there are some practical, actionable tasks that organizations can do to minimize the risks of being the next DDoS victim:
- #1: Know the Signs of a DDoS Attack. Detecting a DDoS can be difficult. By definition, a DDoS attack is distributed (that’s what the first “D” in the acronym stands for, after all), combining simultaneous traffic from thousands of compromised systems to cause service disruption. If you have a SIEM, are monitoring network flow data, or have an MSSP, you probably already have the tools you need to detect a DDoS attack. Here’s what to look for: persistently slow network performance, for example when accessing websites; unavailability of your website or other network resources to customers and the public, even when you have confirmed that these services are up and running; and notifications from network devices and applications that traffic and transactions are being dropped.
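The flow-data signals mentioned above can be turned into a simple baseline comparison. The following is an added example and not code from the original post: it aggregates flow-style records for one protected host into a few indicators (flow rate, number of distinct sources, share of SYN-only flows) and reports which ones deviate from a quiet-period baseline. The record format, the thresholds and the sample traffic are all constructed for the example; a real deployment would read exported NetFlow/IPFIX or SIEM data and tune the multipliers to its own traffic.

```python
"""Added example: baseline-deviation indicators for a volumetric DDoS, computed
from constructed flow records. Field names, addresses and thresholds are
assumptions made for this illustration, not a vendor format."""
from collections import namedtuple

# One flow record: start second, source, destination, destination port,
# TCP flags seen ("S" = SYN only, "PA" = data exchanged), bytes transferred.
Flow = namedtuple("Flow", "ts src dst dport flags nbytes")

TARGET = "192.0.2.10"  # constructed: the monitored web server (TEST-NET-1)


def make_baseline(seconds=10, clients=20):
    """Constructed normal traffic: a handful of clients exchanging real data."""
    return [Flow(t, f"198.51.100.{i + 1}", TARGET, 443, "PA", 1500)
            for t in range(seconds) for i in range(clients)]


def make_flood(seconds=10, sources=400):
    """Constructed SYN flood: many spoofed sources, tiny SYN-only flows."""
    return [Flow(t, f"203.0.{113 + i // 254}.{i % 254 + 1}", TARGET, 443, "S", 60)
            for t in range(seconds) for i in range(sources)]


def window_metrics(flows, dst, t_start, t_end):
    """Aggregate flows to `dst` with t_start <= ts < t_end into rate indicators."""
    sel = [f for f in flows if f.dst == dst and t_start <= f.ts < t_end]
    seconds = max(t_end - t_start, 1)
    if not sel:
        return {"flows_per_sec": 0.0, "unique_src": 0,
                "syn_only_ratio": 0.0, "avg_bytes": 0.0}
    syn_only = sum(1 for f in sel if f.flags == "S")
    return {
        "flows_per_sec": len(sel) / seconds,
        "unique_src": len({f.src for f in sel}),
        "syn_only_ratio": syn_only / len(sel),
        "avg_bytes": sum(f.nbytes for f in sel) / len(sel),
    }


def ddos_indicators(current, baseline, rate_factor=5.0, src_factor=5.0,
                    syn_ratio=0.8):
    """Return the deviations from baseline that together suggest a DDoS.

    Each indicator alone can be benign (a marketing campaign raises the flow
    rate too); several at once, especially a high SYN-only share, is the
    pattern an analyst would escalate.
    """
    reasons = []
    if current["flows_per_sec"] > rate_factor * max(baseline["flows_per_sec"], 1.0):
        reasons.append(f"flow rate more than {rate_factor:g}x baseline")
    if current["unique_src"] > src_factor * max(baseline["unique_src"], 1):
        reasons.append(f"distinct sources more than {src_factor:g}x baseline")
    if current["syn_only_ratio"] >= syn_ratio:
        reasons.append("mostly SYN-only flows (half-open connections)")
    return reasons


if __name__ == "__main__":
    baseline = window_metrics(make_baseline(), TARGET, 0, 10)
    # The attack window contains the normal clients plus the flood.
    current = window_metrics(make_baseline() + make_flood(), TARGET, 0, 10)
    print("baseline:", baseline)
    print("current: ", current)
    for reason in ddos_indicators(current, baseline):
        print("ALERT:", reason)
```

The same three metrics map directly onto the symptoms in the text: a rising flow rate with a collapsing average flow size is what users experience as "slow but up", and a high SYN-only share is what the firewall or load balancer reports as dropped connections.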
- #2: Implement a Next-Gen Firewall (NGFW) for Your Network Infrastructure. Firewalls have come a long way from the days of rules-based traffic blocking. Today’s advanced firewalls implement deep inspection of communications going all the way up to the application layer, and have fine-grained policies to detect and prevent DDoS attacks against many types of network services. Most firewalls sold today can enable these services optionally, and if they’re available on your devices, you should enable them.
- #3: Consider a DDoS Mitigation Provider. Even with advanced DDoS mitigation techniques embedded in NGFWs, every organization has a finite amount of bandwidth. If even one successful DDoS attack makes it through your firewall – or, alternatively, your NGFW simply gets overwhelmed processing packets – you can still end up in a DDoS scenario. To mitigate this, a number of companies provide DDoS mitigation as a service. They generally work in one of two models: “active,” in which all of your inbound traffic is first evaluated before being sent on to your firewall, filtering out DDoS attack attempts in the process; and “passive,” in which you have redundant, inactive network links through the provider’s infrastructure and contact the provider when you’ve noticed a DDoS attack in order to move all inbound traffic through their network.
- #4: Protect your DNS. DDoS attacks don’t just go after web servers; they also attack critical network services like DNS. Attacks such as DNS flooding and amplification attacks can make it difficult or impossible for the public to resolve your IP addresses, making it hard to reach your website, email servers and other services. First, if you’re running an open recursive name server… don’t. Unless you’re resolving a massive number of DNS root zone queries (think Google DNS or OpenDNS), you probably don’t need your servers to answer recursive queries from the open Internet. Also, if you host your own DNS servers, make sure that you’ve addressed any single points of failure, and if possible, geographically distribute your DNS servers across multiple networks. Finally, consider placing an NGFW in front of your DNS servers that can provide anti-DDoS mitigation techniques such as anti-spoofing, IP reputation for DNS query sources, dropping non-conforming queries, and enforcing time-to-live (TTL).
- #5: Limit SMTP Email Connections. Email servers are just as susceptible to DDoS attack as websites and DNS. In the case of email, attackers send large volumes of SMTP messages to the target. This isn’t just run-of-the-mill spam: the messages are large, usually contain generic attachments that must be converted (such as MIME attachments), and are designed to max out the CPU and bandwidth of the SMTP server. One way to mitigate this is to implement SMTP rate limiting, which sets an upper limit on the number of messages the SMTP server will accept from a client during a period of time. Additionally, as with web servers and DNS, an NGFW can assist in blocking DDoS email traffic before it reaches your email server.
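To make the rate-limiting idea concrete, here is an added example (not code from the original post, and not how any particular MTA implements it) of a per-client sliding-window limiter of the kind an SMTP front end would consult before accepting each message. The limits, client addresses and replayed connection log are constructed for the illustration; in production the equivalent control is a configuration setting of the mail server (Postfix, for instance, exposes message and connection rate limits per client) rather than custom code.

```python
"""Added example: per-client SMTP message rate limiting with a sliding window.
Addresses, limits and the replayed event log are constructed for this
illustration."""
from collections import defaultdict, deque


class SmtpRateLimiter:
    """Allow at most `max_msgs` messages per `window_sec` for each client IP.

    Over-limit clients get a temporary (4xx) SMTP reply, so a legitimate
    sender that briefly bursts will retry later, while a flood source is
    held to the configured rate instead of monopolising CPU and bandwidth.
    """

    def __init__(self, max_msgs=30, window_sec=60):
        self.max_msgs = max_msgs
        self.window_sec = window_sec
        self._accepted = defaultdict(deque)  # ip -> timestamps of accepted messages

    def allow(self, ip, now):
        """Return True if a message from `ip` at time `now` is within the limit."""
        window = self._accepted[ip]
        # Drop timestamps that have aged out of the window.
        while window and now - window[0] >= self.window_sec:
            window.popleft()
        if len(window) >= self.max_msgs:
            return False  # caller answers e.g. "450 4.7.1 rate limit exceeded, try later"
        window.append(now)
        return True


def constructed_events(duration_sec=120):
    """Constructed connection log: one polite sender and one flooding sender."""
    events = []
    # Legitimate relay: one message every 10 seconds.
    events += [(t, "198.51.100.7") for t in range(0, duration_sec, 10)]
    # Flood source: ten messages every second for the whole period.
    events += [(t, "203.0.113.9") for t in range(duration_sec) for _ in range(10)]
    return sorted(events, key=lambda e: e[0])


def simulate(limiter, events):
    """Replay (timestamp, client_ip) events; return per-IP accepted/deferred counts."""
    stats = defaultdict(lambda: {"accepted": 0, "deferred": 0})
    for ts, ip in events:
        outcome = "accepted" if limiter.allow(ip, ts) else "deferred"
        stats[ip][outcome] += 1
    return dict(stats)


if __name__ == "__main__":
    result = simulate(SmtpRateLimiter(max_msgs=30, window_sec=60), constructed_events())
    for ip, counts in result.items():
        print(f"{ip:15} accepted={counts['accepted']:4} deferred={counts['deferred']:4}")
```

With a limit of 30 messages per 60 seconds, the flood source gets 30 messages through in its first three seconds, is deferred until those timestamps age out of the window, gets another 30 through, and is deferred again, while the polite sender's 12 messages are all accepted. Rate limiting caps the server's per-client workload; it does not reduce the inbound bandwidth the flood consumes, which is why the text pairs it with an NGFW or upstream filtering.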
DDoS attacks aren’t going away anytime soon. In fact, the prevalence of “DDoS as a service” indicates that organized criminals are providing platforms that let other groups and individuals launch these frustrating attacks. While it’s nearly impossible to fully block or deflect a highly organized and bandwidth-intensive DDoS attack, with some basic configuration changes to network infrastructure, coupled with assistance from NGFWs and DDoS mitigation providers, organizations can achieve the “80/20 rule” by stopping the low-hanging fruit of casual DDoS attacks.